RE: Strange scan on 1433

From: Blake Frantz (blake@mc.net)
Date: 05/21/02


From: "Blake Frantz" <blake@mc.net>
To: <david_laporte@harvard.edu>, "'Pavel Lozhkin'" <pavel@atrivo.com>, <incidents@securityfocus.com>
Date: Tue, 21 May 2002 11:46:49 -0500


>-----Original Message-----
>From: David LaPorte [mailto:david_laporte@harvard.edu]
>Sent: Tuesday, May 21, 2002 10:23 AM
>To: Pavel Lozhkin; incidents@securityfocus.com
>Subject: RE: Strange scan on 1433
>
>They're looking for MS-SQL servers with blank/default sa passwords that are missing the MS02-020
>
>

It's not limited to *blank* sa passwords:

From: http://www.incidents.org/diary/diary.php?id=156

<snip>
IMPORTANT ADDITION (thanks to George Bakos, ISTS for pointing this out):
The worm includes code to brute force the SA password. Using a password
larger than 8 characters, or a password containing non-alphanumeric
characters (punctuation) will defend against this brute forcing.
</snip>

Additionally, roelof@sensepost.com / haroon@sensepost.com from sensepost
wrote a .pl for finding blank sa passwords. Some may find it useful.
http://www.sensepost.com/misc/SQLinsertion.htm

-Blake

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
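
As an added defender's example (not code from this thread, from incidents.org, or from SensePost), the following Python flags the horizontal TCP/1433 sweep the thread is about by grouping constructed firewall log lines per source host, and checks an SA password against the incidents.org criterion quoted above (longer than 8 characters, or containing a non-alphanumeric character). The iptables-style log format, the sample addresses and the target threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables/syslog style), not taken from
# the thread. 198.51.100.7 sweeps TCP/1433 across five hosts; 203.0.113.5 hits
# one SQL port and one web port, which is not a sweep.
SAMPLE_LOG = """\
May 21 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=1433 SYN
May 21 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=1433 SYN
May 21 10:01:04 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP DPT=1433 SYN
May 21 10:01:04 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP DPT=1433 SYN
May 21 10:01:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP DPT=1433 SYN
May 21 10:02:17 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1433 SYN
May 21 10:02:18 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
"""

# Assumed log layout: SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def find_1433_sweeps(log_text, min_targets=3):
    """Return {source: sorted distinct destination hosts} for every source that
    sent TCP/1433 SYNs to at least `min_targets` distinct hosts. One port probed
    across many hosts is the horizontal-scan pattern reported in the thread."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "1433":
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def sa_password_outside_bruteforce_space(password):
    """True when the SA password meets the incidents.org criterion quoted above:
    longer than 8 characters, or containing a non-alphanumeric character.
    A blank password, or a short all-alphanumeric one, returns False."""
    return len(password) > 8 or any(not c.isalnum() for c in password)


if __name__ == "__main__":
    for src, dsts in find_1433_sweeps(SAMPLE_LOG).items():
        print(f"TCP/1433 sweep from {src}: {len(dsts)} hosts ({', '.join(dsts)})")
    for pw in ("", "sa", "abcdefgh", "abcdefghi", "Tr0ub4dor&3"):
        print(f"{pw!r:14} outside brute-force space: {sa_password_outside_bruteforce_space(pw)}")
```

Running the script prints one line for the sweeping source and the verdict for each sample password.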
